KATHOLIEKE UNIVERSITEIT LEUVEN 1.NET Curriculum Workshop Teaching Software Security: Case Studies on the.NET Framework Frank Piessens and Wouter Joosen.

Slides:



Advertisements
Similar presentations
Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Advertisements

.NET MSc in Distributed Systems David Grey Rob Miles University of Hull, UK.
Department of Mathematics and Computer Science
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Reseach in DistriNet (department of computer science, K.U.Leuven) General overview and focus on embedded systems task-force.
CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.
Introducing the Common Language Runtime for.NET. The Common Language Runtime The Common Language Runtime (CLR) The Common Language Runtime (CLR) –Execution.
1 CMSC 132: Object-Oriented Programming II Software Development III Department of Computer Science University of Maryland, College Park.
CSCD 434 Spring 2011 Lecture 1 Course Overview. Contact Information Instructor Carol Taylor 315 CEB Phone: Office.
Version # Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 1999 by Carnegie.
VS.NET Course Introduction By Peter Huang. About Me Peter Huang –Microsoft Certified Solution Developer (MCSD) –Sun Certified Java 2 Programmer (SCJP)
UNIT-V The MVC architecture and Struts Framework.
New experiences with teaching Java as a second programming language Ioan Jurca “Politehnica” University of Timisoara/Romania
Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.
1 Why C# and Why.NET in the Undergraduate IS Curriculum ISECON November 3 -7, 2004, Newport, RI Association of Information Technology Professionals Mehdi.
Copyright © 2009 On The Edge Software Consulting Advanced Enterprise Java Instructional Plan Presentation Tier Design using an Event Driven Design Methodology.
Introduction to the Enterprise Library. Sounds familiar? Writing a component to encapsulate data access Building a component that allows you to log errors.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.
Computer Network Fundamentals CNT4007C
Introduction to .Net Framework
1 8/29/05CS360 Windows Programming Professor Shereen Khoja.
C# A 1 CSC 298 Introduction to C#. C# A 2 What to expect in this class  Background: knowledge of an object oriented language of the C++, Java, … family.
Lecture Set 1 Part B: Understanding Visual Studio and.NET – Structure and Terminology 1/16/ :04 PM.
 Prototype for Course on Web Security ETEC 550.  Huge topic covering both system/network architecture and programming techniques.  Identified lack.
SWE 316: Software Design and Architecture – Dr. Khalid Aljasser Objectives Lecture 11 : Frameworks SWE 316: Software Design and Architecture  To understand.
Computer Networks CEN 5501C Spring, 2008 Ye Xia (Pronounced as “Yeh Siah”)
SOME IMPORTANT FACTORS IN TEACHING SOFTWARE ENGINEERING COURSES Presenter: Jingzhou Li Depart of ECE, University of Calgary,
Introduction to Network Security J. H. Wang Feb. 24, 2011.
C# Overview and Features. Content I.History of C# II.Architecture III.How to install IV.Features V.Code Sample VI.Microsoft.NET Platform VII.Why use C#
Java Teaching Workshop Y. Daniel Liang May 20, 2002 At NCC.
CS795/895: Introduction. Topics Distributed Systems –Availability –Performance –Web Services Security –Authentication –Authorization –Confidentiality.
@Yuan Xue CS 285 Network Security Fall 2008.
Dynamic Content On Edge Cache Server (using Microsoft.NET) Name: Aparna Yeddula CS – 522 Semester Project Project URL: cs.uccs.edu/~ayeddula/project.html.
CSCD 434 Network Security Spring 2014 Lecture 1 Course Overview.
Basic Security: Java vs.NET Master Seminar Advanced Software Engineering Topics Prof. Jacques Pasquier-Rocha Software Engineering Group Department of Informatics.
January 25, 2006copyright Thomas Pole , all rights reserved 1 Software Reuse: History 1980 to 2005 History: Changes to Software Reuse Driven by.
Early Adopter: Integrating Concepts from Parallel and Distributed Computing into the Undergraduate Curriculum Eileen Kraemer Computer Science Department.
KATHOLIEKE UNIVERSITEIT LEUVEN 1 Run time enforcement of security policies on the.NET framework Frank Piessens Joint work with many people including Lieven.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
.Net Security and performance
ISYS 812 Business Software Development David Chao.
Dale Smith COSC 4010 Computer Security Authentication & Security in the.NET environment.
SECURITY ISSUES. Introduction The.NET Framework includes a comprehensive set of security tools –Low-level classes and an overall framework –Managing code.
Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium.
A security framework combining access control and trust management for mobile e-commerce applications Gregor v.Bochmann, Zhen Zhang, Carlisle Adams School.
Lecture 1: Overview of CSCI 485 Notes: I presented parts of this lecture as a keynote at Educator’s Symposium of OOPSLA Shahram Ghandeharizadeh Associate.
Hands-On Microsoft Windows Server Implementing Microsoft Internet Information Services Microsoft Internet Information Services (IIS) –Software included.
By: PHANIDEEP NARRA. OVERVIEW Definition Motivation.NET and J2EE Architectures Interoperability Problems Interoperability Technologies Conclusion and.
PRIOR TO WEB SERVICES THE OTHER TECHNOLOGIES ARE:.
Introduction to Information Security J. H. Wang Sep. 18, 2012.
CS562 Advanced Java and Internet Application Introduction to the Computer Warehouse Web Application. Java Server Pages (JSP) Technology. By Team Alpha.
Boris Milašinović Faculty of Electrical Engineering and Computing University of Zagreb, Croatia 15th Workshop on "Software Engineering Education and Reverse.
Instructional Plan Template | Slide 1 AET/515 Instructional Plan Advanced Enterprise Java Platform Training Presentation Tier Design using an Event Driven.
C# and.NET. .NET Architecture  Compiling and running code that targets.NET  Advantages of Microsoft Intermediate Language (MSIL)  Value and Reference.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
Computer Networks CNT5106C
Lecture Set 1 Part B: Understanding Visual Studio and.NET – Structure and Terminology 1/16/ :04 PM.
SOA Concepts Service Oriented Architecture Johns-Hopkins University Montgomery County Center, Spring 2009 Session 1: January 28, 2009 Instructor:
Introduction to Information Systems SSD1: Introduction to Information Systems Unit 1. The World Wide Web Unit 2. Introduction to Java and Object- Oriented.
CSC 222: Computer Programming II
Done By: Ashlee Lizarraga Ricky Usher Jacinto Roches Eli Gomez
Server Concepts Dr. Charles W. Kann.
Security mechanisms and vulnerabilities in .NET
Dot Net ​ Overview  The.NET Framework is a development framework that provides a new programming interface to Windows services and APIs, and integrates.
CSCD 434 Network Security Spring 2012 Lecture 1 Course Overview.
Security & .NET 12/1/2018.
CSCD 434 Network Security Spring 2019 Lecture 1 Course Overview.
Towards Integrating Java EE into ProtoCom
Lecture 1: Overview of CSCI 485 Notes: I presented parts of this lecture as a keynote at Educator’s Symposium of OOPSLA Shahram Ghandeharizadeh Director.
Lecture 1: Overview of CSCI 485 Notes: I presented parts of this lecture as a keynote at Educator’s Symposium of OOPSLA Shahram Ghandeharizadeh Associate.
Presentation transcript:

KATHOLIEKE UNIVERSITEIT LEUVEN 1.NET Curriculum Workshop Teaching Software Security: Case Studies on the.NET Framework Frank Piessens and Wouter Joosen

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop2 Who am I Professor at the Department of Computer Science, KULeuven, Belgium Member of the DistriNet research group on distributed systems and computer networks Research focus: –Software security: secure programming languages, security in component models and frameworks, security engineering

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop3 Why am I here? Our university has a “security-intensive” computer science curriculum The “secure software” course was an early adopter of.NET technologies in university course Report on our experiences integrating.NET into that course

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop4 Outline of the presentation Introduction Overview of the secure software course Case studies and projects on.NET Zooming in on some project assignments Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop5 Introduction Software is more and more Internet accessible => importance of software security increases Developing secure software is a complex matter –Complex technologies –Binding security technologies to an application is hard –Implementation vulnerabilities –Hard to test security –… Hence, it is important to integrate courses on secure software development in computer science curricula

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop6 Introduction At the K.U.Leuven, we started developing such a course 5 years ago –It is being taught for the 5 th time to an average of some 100 students per year –Fragments of the course have been presented At industry conferences At academic conferences –Teaching materials for the course are available on the web (see URL at the end of the presentation)

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop7 Outline of the presentation Introduction Overview of the secure software course Case studies and projects on.NET Zooming in on some project assignments Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop8 Overview of the course Part I: Introduction Part II : Security Technologies –Security technology = reusable algorithm/ model/ service that realizes a security objective Part III: Building Secure Applications –Secure application: application that enforces correct rules of usage By correct and appropriate use of security technologies By ensuring high quality of implementation Part IV: Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop9 Overview of the course Part I: Introduction –General security concepts: threat, vulnerability, countermeasure, risk, … –Security for an administrator versus security for a developer –Case study: perform a threat and vulnerability analysis on a simplified system

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop10 Overview of the course Part II: Software Security Technologies –Cryptographic primitives –Cryptographic Service Provider based libraries –Cryptographic protocols –Software interfaces to protocols –Access control models –Access control in operating systems and application servers –Untrusted code security

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop11 Overview of the course Part III: Secure Software Applications –Threat analysis –Secure design principles –Integrating security technologies in applications –Implementation vulnerabilities –Enriching a software engineering process for security Part IV: Conclusion –Case study revisited –Current challenges

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop12 Overview of the course What is available online? –The course is given at our university as a 20h course with 30h time for exercises/projects Slides are available for most of the lectures Lecture notes are available for approximately half of the lectures A web site with related links for all covered material Project assignments (not solutions)

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop13 Outline of the presentation Introduction Overview of the secure software course Case studies and projects on.NET Zooming in on some project assignments Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop14 Case studies and projects on.NET The course is a conceptual course, but illustrates concepts with their implementation in real-life systems The.NET Framework is used to illustrate implementation of most of the security technologies in Part II of the course –The cryptographic libraries in.NET are discussed as an example implementation of a CSP based crypto library –Code Access Security is discussed as an example implementation of untrusted code sandboxing –.NET declarative role based access control is discussed as an example implementation of application level access control

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop15 Case studies and projects on.NET The.NET material is relatively new –Before: Java and Windows 2000 –Does the.NET case add value with respect to the Java case? Two examples: –Comparison of crypto libraries in Java and.NET –Comparison of sandboxing in Java and.NET

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop16 Crypto libraries All modern cryptographic libraries are structured around the concept of Cryptographic Service Providers (CSP) Cryptographic framework CSP1CSP2CSP3 … SPI API App1App2App3 …

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop17 Crypto libraries Java and.NET implement decoupling differently –Java: decoupling based on the bridge design pattern API objects encapsulate an SPI object that does the real work –.NET: decoupling based on inheritance SPI classes inherit from API classes

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop18 Sandboxing in Java and.NET Both Java and.NET implement stack inspection based configurable sandboxing But again, both implementations differ significantly –Integration of user based access control is different –Granularity of permissions and stack walk modifiers is different –Extensibility is different –…

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop19 Projects and exercises on.NET Students can do projects and exercises on the.NET framework or the SSCLI (Rotor) We distinguish three “levels”: –Simple exercises: a few hours of work –Implementation projects: 20 – 40 hours of teamwork –Advanced projects: several hundred hours of work, typically in the context of a master thesis Some of them closely linked to our research E.g. Context bound objects for application level access control

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop20 Outline of the presentation Introduction Overview of the secure software course Case studies and projects on.NET Zooming in on some project assignments Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop21 Example implementation project: pluggable authentication Problem statement: In the.NET framework, authentication can be done: –By relying on Windows authentication –By custom developed authentication code Both approaches have their disadvantages.

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop22 Example implementation project: pluggable authentication Assignment: Design an authentication framework for.NET. The framework should offer a simple uniform authentication API to applications. Implementations of authentication mechanisms should be easy to plug into the framework. The selection of what authentication mechanisms to use should be set by a configuration file. Authentication should be well integrated with role based authorization.

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop23 Example implementation project: pluggable authentication Discussion: The project introduces students to many aspects of.NET security: –Use of the crypto API’s –User based access control –Building a secure assembly An example solution (PAM.NET) that runs on Rotor and the CLR was developed by Bert Lagaisse.

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop24 Example advanced project: typing information as evidence Problem statement: –Type systems increase security in a number of ways. –Supporting a new type system in a programming language or in MSIL is a substantial effort. –Can the Code Access Security system be used to check security-related type information?

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop25 Example advanced project: typing information as evidence Assignment: Pick a security relevant type system (e.g. types for safe concurrency), and design a new kind of evidence that captures the type information in that system. Design typing rules for IL, and implement a verifier. Integrate the verifier with the Code Access Security system.

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop26 Example advanced project: typing information as evidence Discussion: Students gain deep knowledge about: –IL and IL typing –The Code Access Security System A simplified version of the assignment was implemented by a master thesis student.

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop27 Some other projects Implementing a Cryptographic Service Provider –Last year, two students integrated the Belgian EID in the.NET Crypto Libraries Reusing Code Access Security checks for role based access control Design and implement a SOAP firewall Design and implementation of applications that use the security API’s intensively –Secured chat application –Simple encrypting file system –Runtime extensible applications –…

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop28 Outline of the presentation Introduction Overview of the secure software course Case studies and projects on.NET Zooming in on some project assignments Conclusion

KATHOLIEKE UNIVERSITEIT LEUVEN.NET Curriculum Workshop29 Conclusion Importance of software security is high and growing Inclusion of dedicated courses in curricula is desirable Our software security course is still in evolution but is slowly stabilizing as a: – Conceptual course –With illustrations of the concepts on the two application development platforms of the future (Java and.NET), as well as on operating systems/middleware/databases Course materials are available (in draft form) at:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.